Polish researchers have released technical details and attack code for 30 security issues affecting Oracle's Java Cloud Service. Some of the flaws make it possible for attackers to read or modify users' sensitive data or to execute malicious code.

Security Explorations said it would normally withhold public airings until after any vulnerabilities have been fixed. But apparently Oracle representatives failed to resolve some of the more crucial issues, including bypasses of the Java security sandbox, bypasses of Java whitelisting rules, the use of shared WebLogic server administrator passwords, and the availability of plain-text user passwords stored in some systems.

Oracle apparently has admitted to the researchers that it cannot promise that it will communicate the resolution of security vulnerabilities affecting its cloud data centres in the future.

Adam Gowdiak, CEO of Security Explorations said Oracle unveiled the Java Cloud Service in 2011 and held it up as a way to better compete against Salesforce.com. The 30 security issues disclosed by Security Explorations can be found here.

The latest edition of ThoughtWorks’ Technology Radar for January 2014 said that the use of JavaScript is increasing as the ecosystem around it as a serious application platform continues to evolve.

Sam Newman, ThoughtWorks’ Global Innovation Lead, wrote that JavaScript has been seen as a serious language for the last two or three years and it is being used as a serious platform. ThoughtWorks’ Technology Advisory Board moved Node.js from ‘trial’ to ‘adopt’ on the radar. Node.js' success, Newman wrote, has come from the number of people who traditionally saw themselves as client-side developers and found the world of server-side computing opened up to them.

“The other part of that is obviously that Node.js’ server technology has some interesting capabilities available to it; it can support large numbers of connections, it can spin up in a very, very short space of time unlike say Java,” he said.

The primary driver for Node.js’ success has been the fact that it is JavaScript — [offering] the ability to have the same language on the front-end and the backend systems, he added. JavaScript has emerged both as a platform for server-side code “but also a platform to host other languages.”

There are still some challenges facing JavaScript. The sheer size of the install base means that it’s going to be a while before we have new language features available.

Spanish insecurity experts from Informatica64 used a JavaScript Trojan horse to steal information from spammers and scammers, which is a bit like giving AIDS back to monkeys. In a presentation at the Black Hat security conference, security consultant Chema Alonso showed off a somewhat dodgy method to snoop on some very questionable people online.

The pair replaced cached JavaScript with an attacker's copy and used this to inject the JavaScript file into a victim's browser. Alonso set up an anonymous proxy server and then published its Internet address on a proxy forum. Within a day, more than 4,000 computers had connected to the proxy server and had the poisoned JavaScript file in their browser caches.

According to Dark Reading, Alonso found a variety of low-level criminals using their proxy server. There were fraudsters posing as British immigration officials offering work permits, a bloke pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket, and another fraud involving flogging non-existent Yorkshire Terriers. By replacing one of the JavaScript files with a malicious version via the proxy server, the attacker can tailor attacks for a specific site, he told the conference.

He thought it likely that companies and governments are already using this technique to eavesdrop on criminal activity. He said that he could collect that amount of data in only one day, doing nothing more than serving two small JavaScript files. He thought it was too easy for governments and spooks to do the same thing.

The only way for people to be sure that they are safe is to use servers that they trust. In addition, privacy-sensitive people should regularly clear the browser cache.
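The reason clearing the cache matters is that a hostile proxy does not just swap the script once; it can also hand the swapped file back with far-future cache headers so the browser keeps using the poisoned copy long after the proxy is gone. The following is an added example, not code from the article or from Informatica64, of the check a defender would run over captured responses: compare each cached script against a manifest of known-good hashes and flag any entry the cache would keep for an unusually long time. The URL, script bodies, manifest, reference time and the 30-day threshold are all constructed for the illustration.

```python
"""Offline check for tampered, long-lived JavaScript in an HTTP cache (added example)."""
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed threshold: a script the cache may keep longer than this is "sticky".
LONG_LIVED = timedelta(days=30)


def parse_max_age(cache_control):
    """Return the max-age directive of a Cache-Control value in seconds, or None."""
    if not cache_control:
        return None
    for directive in cache_control.split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            return int(value)
    return None


def cache_lifetime(headers, now):
    """How long a cache may keep this response, as a timedelta (None if unknown).

    Cache-Control max-age takes precedence over Expires, as in HTTP caching rules.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    max_age = parse_max_age(lower.get("cache-control"))
    if max_age is not None:
        return timedelta(seconds=max_age)
    expires = lower.get("expires")
    if expires:
        try:
            return parsedate_to_datetime(expires) - now
        except (TypeError, ValueError):
            return None
    return None


def check_script(url, headers, body, manifest, now):
    """Return a list of findings for one cached script response (empty if clean)."""
    findings = []
    digest = hashlib.sha256(body).hexdigest()
    expected = manifest.get(url)
    if expected is None:
        findings.append("unknown script: no known-good hash for %s" % url)
    elif digest != expected:
        findings.append("tampered: sha256 %s != expected %s" % (digest[:12], expected[:12]))
    lifetime = cache_lifetime(headers, now)
    if lifetime is not None and lifetime > LONG_LIVED:
        findings.append("long-lived cache entry: %d days" % lifetime.days)
    return findings


# Constructed sample traffic: the site's real script, and the same URL as it
# came back through a hostile proxy (tampered body, far-future Expires).
SCRIPT_URL = "http://forum.example/js/app.js"
GOOD_BODY = b"function init(){document.title='forum';}\n"
POISONED_BODY = GOOD_BODY + b"/* extra code injected by the proxy */\n"
MANIFEST = {SCRIPT_URL: hashlib.sha256(GOOD_BODY).hexdigest()}
NOW = datetime(2012, 8, 1, tzinfo=timezone.utc)  # constructed reference time

SAMPLES = {
    "direct": ({"Content-Type": "application/javascript",
                "Cache-Control": "max-age=600"}, GOOD_BODY),
    "via_proxy": ({"Content-Type": "application/javascript",
                   "Expires": "Thu, 01 Jan 2032 00:00:00 GMT"}, POISONED_BODY),
}


def scan_samples():
    """Run the check over the constructed samples; maps sample name to findings."""
    return {name: check_script(SCRIPT_URL, hdrs, body, MANIFEST, NOW)
            for name, (hdrs, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, findings or ["clean"])
```

The direct response comes back clean; the proxied one is reported both as tampered and as a cache entry that would outlive the proxy by years, which is exactly the case that only a cache purge (or never trusting the proxy in the first place) removes.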